Delayed Australian data breach notification bill lands

Australians will be informed of certain breaches of their personal information under new laws being proposed by the Turnbull government, but only if the company or organisation breached turns over $3 million in revenue a year.

Companies at present aren't legally required to disclose breaches, but they can do so voluntarily.

The government was meant to introduce the bill into parliament before the end of the year but left it until the last sitting day of the year to release an exposure draft before its likely introduction into parliament next year.

If passed, the bill will require companies to disclose a breach within 30 days if it concerns personal information and "there is a real risk of serious harm to any of the individuals" to whom the information relates.


At present, companies, federal government agencies and various other Australian organisations are not required to disclose breaches by law. Nothing stops them, however, from voluntarily disclosing a breach.

Vice chair of the Australian Privacy Foundation, David Vaile, said that the $3 million threshold for compliance, which has existed in the Privacy Act for some time, was "a potential problem".

"A backyard data-munging operation can now cause as much damage, and release as much data (but may be less scrupulous or well defended), as any big bank, telco or government agency," he said.

Chief executive officer of the Consumer Action Law Centre, Gerard Brody, agreed, saying that individuals should have a fundamental right to be informed of "any data breach involving personal information about them".

"This is not just because of potential adverse consequences caused by the release of personal information, but also a fundamental human right to autonomy," Mr Brody said.

Ty Miller, of computer security firm Threat Intelligence, said that whether or not a breach is disclosed should not be based on how much money an organisation earns but on the sensitivity and the amount of data breached.

"[Under this bill] you could have a project that is collecting millions of peoples' details and not have to notify anyone affected by the breach because you are not earning any money from it."

Despite this, he said Australia needed some form of data breach notification scheme because there was a large number of security breaches occurring that were not being disclosed.

"Ninety nine per cent of organisations that we do audits on have had customer data stolen," he said, adding that very few companies reported breaches to the privacy commissioner or to affected individuals.

Tom Godfrey, a spokesman for consumer group CHOICE, also said he hoped that, regardless of the legislation, all companies would proactively provide data breach information to their customers.

"Any company, regardless of size, should be interested in protecting their customers and notifying them when there's a real risk that their personal data could have fallen into the wrong hands," Mr Godfrey said.

Asia Pacific technology practice leader at law firm Norton Rose Fulbright, Nick Abrahams, said that while the bill was necessary and brought Australia into line with the rest of the developed world, it still needed some work.

If a security vulnerability was found in a system and someone approached a company to report that they had been able to access personal information but had not done anything illegal with it, he questioned whether that needed to be disclosed.

"Is that a disclosable incident?" Mr Abrahams asked. "That appears to be something where there's a need for clarity."

Privacy Commissioner Timothy Pilgrim said a mandatory notification scheme would provide confidence to all Australians that, in the event of a serious data breach, they would be given the opportunity to manage their personal information. "Notification enables people affected by a breach to take steps to protect their personal information; such as cancelling credit cards or updating log ins with service providers."

Submissions from the public concerning the draft bill are due by March 4.